Solved

Is a Windows 2003 Terminal Service session secure without a VPN connection?

Posted on 2007-11-23
Last Modified: 2013-11-21
I need to connect two small offices over basic cable broadband connections.  The staff in office A will have a Windows 2003 Server w/ Terminal Services to host a series of applications and files.  The staff in office B will log in via terminal services to their accounts and use the applications/files.  

Is the terminal service connection (from login to logout) secure so that a VPN connection is not needed?  Are there any printing gotchas/concerns over terminal services which I should prepare for?

Other details:
- offices will merge to one single office space in one year (this office to office connection is temporary)
- at times staff may log into terminal service session from home
- both offices currently only have basic cable broadband internet access
- all printing will be local to the office where the user is located (users in office B will need to be able to print to printers local to the office B network; users in office B will not need to print to office A printers)
- offices are not in line of sight and are 10 miles apart
Question by:dandacci
2 Comments
 
Accepted Solution

by:
Cláudio Rodrigues earned 500 total points
ID: 20341758
This is a question that people will debate all over and have different opinions on the answer. Here you have my own (and I know some here will probably bash me...).
RDP by itself is encrypted. The thing is, due to the way Microsoft implemented the encryption keys, it is subject to man-in-the-middle attacks.
The thing is, all these years working with TS I am still to see one single customer that had a TS hacked when exposed to the internet. Not a single one.
So, do I think a VPN is needed? No.
You can implement, if you are paranoid, SecureRDP on the TS (freeware from 2X.com, that we developed before they acquired my company, Terminal-Services.NET) and customize the RDP client to have your own, unique version number and filter by that. Check this article I wrote:
http://www.msterminalservices.org/articles/Customizing-Microsoft-RDP-Client-Part1.html

And you can always install RecordTS on the terminal server (another software we wrote, now under my new company, TSFactory.com) and record everything that happens at the RDP level (in case you want to record someone trying to hack your TS).

For printing, a couple things to keep in mind:
1. Try to get a printer that is supported by native, out-of-the-box Windows Server 2003 drivers (meaning the drivers shipped with the OS, not requiring anything to be installed). These will work for sure.
2. Avoid host-based printers (the ones that use the PC to do all the work normally done by the printer hardware).
3. Avoid as much as you can loading ANY printer driver on the TS UNLESS you have no other option.
4. Consider a product like UniPrint, SimplifyPrint or ThinPrint. They sure cost money BUT will save you a LOT of headaches with printing on TS.

And to wrap this up, TS is pretty good with bandwidth utilization BUT make sure your links are not heavily used for things like web browsing, email, etc.; otherwise RDP will have to compete with everything else and performance will suffer.

Cheers,

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services
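
Added example, not part of the original answer: a check of which security layer a terminal server agrees to during the RDP connection handshake, that is, a TLS channel or only the built-in RDP encryption the answer refers to. The function names are hypothetical, the byte layouts follow the RDP negotiation structures in MS-RDPBCGR, and the sample replies are constructed rather than captured from a real server.

```python
import struct

# selectedProtocol values and failure codes as defined in MS-RDPBCGR
PROTOCOLS = {0: "Standard RDP Security", 1: "TLS", 2: "CredSSP (TLS + NLA)"}
FAILURES = {1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
            3: "SSL_CERT_NOT_ON_SERVER", 5: "HYBRID_REQUIRED_BY_SERVER"}

def build_connection_request(requested=0x01):
    """Client side: X.224 Connection Request with an RDP_NEG_REQ asking for TLS."""
    neg = struct.pack("<BBHI", 0x01, 0x00, 8, requested)
    x224 = struct.pack(">BBHHB", 6 + len(neg), 0xE0, 0, 0, 0) + neg
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224

def parse_connection_confirm(data):
    """Server side: classify an X.224 Connection Confirm as (verdict, detail)."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 PDU")
    if struct.unpack(">H", data[2:4])[0] != len(data) or data[5] & 0xF0 != 0xD0:
        raise ValueError("truncated PDU or not a Connection Confirm")
    neg = data[11:]
    if not neg:
        # No negotiation block at all: the server only offers the legacy layer.
        return "legacy", PROTOCOLS[0]
    if len(neg) != 8:
        raise ValueError("malformed negotiation block")
    kind, _flags, length, value = struct.unpack("<BBHI", neg)
    if length != 8 or kind not in (0x02, 0x03):
        raise ValueError("unexpected negotiation structure")
    if kind == 0x03:  # RDP_NEG_FAILURE
        return "failure", FAILURES.get(value, "failure code %d" % value)
    if value == 0:
        return "legacy", PROTOCOLS[0]
    return "tls", PROTOCOLS.get(value, "protocol 0x%x" % value)

# Constructed sample replies (not captured from a real server).
SAMPLE_TLS = bytes.fromhex("03000013" "0ed00000123400" "0200080001000000")
SAMPLE_LEGACY = bytes.fromhex("0300000b" "06d00000123400")
SAMPLE_REFUSED = bytes.fromhex("03000013" "0ed00000123400" "0300080002000000")

if __name__ == "__main__":
    print("request:", build_connection_request().hex())
    for name, pdu in [("tls", SAMPLE_TLS), ("legacy", SAMPLE_LEGACY),
                      ("refused", SAMPLE_REFUSED)]:
        print(name, parse_connection_confirm(pdu))
```

A "legacy" verdict, or a "failure" of SSL_NOT_ALLOWED_BY_SERVER, means sessions to that server rely on RDP's own encryption layer rather than a TLS channel with a server certificate the client can validate.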


Author Closing Comment

by:dandacci
ID: 31410733
Thank you Claudio (tsmvp).  Your answer was clear and very helpful.  The printing might get tedious.  I will follow up on your suggestions.  Thank you again!!!
Question has a verified solution.
